Integral Cryptanalysis on reduced-round Safer++

In this paper we describe an integral distinguisher over 2 rounds of Safer++. It allows a practical attack against 3 rounds of Safer++128, as well as attacks on 4 rounds of Safer++128 and Safer++256, under the chosen-plaintext hypothesis. These results achieve much lower complexity than the currently known best attacks on Safer++, namely weak-key linear cryptanalysis by Nakahara. As a side result, we prove that the byte-branch number of the linear transform of Safer++ is 5. We also discuss a way for further research in order to extend integral cryptanalysis

Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far.We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications

Mini-ciphers: a reliable testbed for cryptanalysis?

This paper reports on higher-order square analysis of the AES cipher. We present experimental results of attack simulations on mini-AES versions with word sizes of 3, 4, 5, 6 and 7 bits and describe the propagation of higher-order Lambda-sets inside some of these distinguishers. A possible explanation of the length of the square distinguishers uses the concept of higher-order derivatives of discrete mappings

Cryptanalytic Attacks on IDEA Block Cipher

International data encryption algorithm (IDEA) is a secret key or symmetric key block cipher. The purpose of IDEA was to replace data encryption standard (DES) cipher, which became practically insecure due to its small key size of 56 bits and increase in computational power of systems. IDEA cipher mainly to provide data confidentiality in variety of applications such as commercial and financial application e.g. pretty good privacy (PGP) protocol. Till 2015, no successful linear or algebraic weaknesses IDEA of have been reported. In this paper, author explained IDEA cipher, its application in PGP and did a systematic survey of various attacks attempted on IDEA cipher. The best cryptanalysis result which applied to all keys could break IDEA up to 6 rounds out of 8.5 rounds of the full IDEA cipher1. But the attack requires 264 known plaintexts and 2126.8 operations for reduced round version. This attack is practically not feasible due to above mention mammoth data and time requirements. So IDEA cipher is still completely secure for practical usage. PGP v2.0 uses IDEA cipher in place of BassOmatic which was found to be insecure for providing data confidentiality

Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family

This paper investigates the degradation properties of Boolean functions from the aspects of the distributions of dierences and linear masks, and shows two characterizations of the degraded Boolean function. One is that there exists a linear space of the input dierences, where the dierentials with the zero output dierence have probability 1; Another one is that the input linear masks of the nonzero-correlation linear approximations are included in a linear space. Those two linear spaces are orthogonal spaces. Moreover, the degradation properties are showed about the exponentiation type S-box of the SAFER block ciphers, which are applied to reduce the compute complexity in the zero-correlation linear attacks on 5-round SAFER SK/128, 4(5)-round SAFER+/128(256) and 5(6)-round SAFER++/128(256). In the attacks, some of the linear properties of PHT employed as the linear layer by the SAFER block ciphers are investigated and some zero-correlation approximations for SAFER SK, SAFER+, and SAFER++ are identied, when only the least one or two signicant bits are considered. The results show that more rounds of some of the SAFER block ciphers can be attacked, by considering the degradation properties and the zero-correlation linear relations

A Salad of Block Ciphers

This book is a survey on the state of the art in block cipher design and analysis. It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months. However, it is also in a self-contained, useable, and relatively polished state, and for this reason I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much. At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people

Quantitative security of block ciphers:designs and cryptanalysis tools

Block ciphers probably figure in the list of the most important cryptographic primitives. Although they are used for many different purposes, their essential goal is to ensure confidentiality. This thesis is concerned by their quantitative security, that is, by measurable attributes that reflect their ability to guarantee this confidentiality. The first part of this thesis deals with well know results. Starting with Shannon's Theory of Secrecy, we move to practical implications for block ciphers, recall the main schemes on which nowadays block ciphers are based, and introduce the Luby-Rackoff security model. We describe distinguishing attacks and key-recovery attacks against block ciphers and show how to turn the firsts into the seconds. As an illustration, we recall linear cryptanalysis which is a classical example of statistical cryptanalysis. In the second part, we consider the (in)security of block ciphers against statistical cryptanalytic attacks and develop some tools to perform optimal attacks and quantify their efficiency. We start with a simple setting in which the adversary has to distinguish between two sources of randomness and show how an optimal strategy can be derived in certain cases. We proceed with the practical situation where the cardinality of the sample space is too large for the optimal strategy to be implemented and show how this naturally leads to the concept of projection-based distinguishers, which reduce the sample space by compressing the samples. Within this setting, we re-consider the particular case of linear distinguishers and generalize them to sets of arbitrary cardinality. We show how these distinguishers between random sources can be turned into distinguishers between random oracles (or block ciphers) and how, in this setting, one can generalize linear cryptanalysis to Abelian groups. As a proof of concept, we show how to break the block cipher TOY100, introduce the block cipher DEAN which encrypts blocks of decimal digits, and apply the theory to the SAFER block cipher family. In the last part of this thesis, we introduce two new constructions. We start by recalling some essential notions about provable security for block ciphers and about Serge Vaudenay's Decorrelation Theory, and introduce new simple modules for which we prove essential properties that we will later use in our designs. We then present the block cipher C and prove that it is immune against a wide range of cryptanalytic attacks. In particular, we compute the exact advantage of the best distinguisher limited to two plaintext/ciphertext samples between C and the perfect cipher and use it to compute the exact value of the maximum expected linear probability (resp. differential probability) of C which is known to be inversely proportional to the number of samples required by the best possible linear (resp. differential) attack. We then introduce KFC a block cipher which builds upon the same foundations as C but for which we can prove results for higher order adversaries. We conclude both discussions about C and KFC by implementation considerations